Vulnerability Details : CVE-2022-23134
After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass the step checks and potentially change the configuration of the Zabbix Frontend.
Products affected by CVE-2022-23134
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
CVE-2022-23134 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Zabbix Frontend Improper Access Control Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2022-23134
Added on:
2022-02-22
Action due date:
2022-03-08
Exploit prediction scoring system (EPSS) score for CVE-2022-23134
EPSS score: 61.33% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~98% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-23134
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | 2.2 | 1.4 | Zabbix | |
CWE ids for CVE-2022-23134
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: security@zabbix.com (Secondary)
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23134
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
  [SECURITY] Fedora 34 Update: zabbix-5.0.19-1.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
  [SECURITY] Fedora 34 Update: zabbix-5.0.19-1.fc34 - package-announce - Fedora mailing-lists (Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
  [SECURITY] Fedora 35 Update: zabbix-5.0.19-1.fc35 - package-announce - Fedora mailing-lists (Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
  [SECURITY] Fedora 35 Update: zabbix-5.0.19-1.fc35 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html
  [SECURITY] [DLA 2914-1] zabbix security update (Mailing List; Third Party Advisory)
- https://support.zabbix.com/browse/ZBX-20384
  [ZBX-20384] Possible view of the setup pages by unauthenticated users if config file already exists (CVE-2022-23134) - ZABBIX SUPPORT (Issue Tracking; Patch; Vendor Advisory)